吾爱破解 - 52pojie.cn


[KeyGenMe] KeygenMe source code + algorithm

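yypE posted on 2015-6-12 11:56
What is a CM? What is a Crackme? What is this thing? What has the original poster posted?
They are small programs released publicly for others to try to crack. The person who makes a Crackme may be a programmer who wants to test their own software protection techniques, a cracker who wants to challenge the skills of other crackers, or someone learning to crack who writes small programs to crack themselves. A KeyGenMe asks others to write a keygen (serial number generator) for it, a ReverseMe asks others to reverse-engineer its algorithm, and an UnpackMe asks others to unpack it successfully. Non-technical, off-topic filler replies are prohibited on this board.

This post was last edited by yypE on 2015-6-12 12:03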

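I mindlessly wrote a KM (KeyGenMe) last night, and today someone traced the code out of it... Only then did I realize that the code sits in memory in plaintext. Haha, I'll have to watch out for that next time...

Link to the KM:
http://www.52pojie.cn/thread-373110-1-1.html

The source code is as follows: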
#include <iostream>
#include <cstdio>
#include <cmath>
#include "VirtualizerSDK.h"
using namespace std;

// VM bytecode: 10 ints per instruction, every value stored multiplied by 1234
int code[]=
{
        149314,149314,138208,85146,39488,134506,119698,123400,124634,39488,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                135740,95018,124634,54296,129570,125868,39488,149314,136974,144378,
                46892,141910,124634,124634,39488,143144,128336,129570,141910,39488,
                38254,39488,75274,75274,75274,75274,75274,75274,75274,75274,
                143144,124634,148080,143144,39488,129570,135740,39488,149314,136974,
                38254,75274,75274,75274,75274,75274,75274,75274,75274,75274,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                38254,75274,0,39488,39488,92550,124634,149314,127102,124634,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                38254,135740,95018,124634,39488,120932,149314,39488,149314,149314,
                135740,149314,39488,138208,140676,136974,127102,140676,119698,134506,
                38254,138208,85146,0,39488,39488,39488,39488,39488,61700,
                135740,149314,39488,138208,140676,136974,127102,140676,119698,134506,
                38254,59232,60466,65402,55530,66636,55530,60466,60466,0,
                141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
                38254,39488,75274,75274,75274,75274,75274,75274,75274,75274,
                141910,39488,143144,128336,119698,143144,39488,149314,136974,144378,
                38254,75274,75274,75274,75274,75274,75274,75274,75274,75274,
                48126,119698,140676,124634,39488,140676,124634,119698,133272,133272,
                38254,75274,1522756,1522756,1522756,1522756,1522756,1522756,1522756,0,
                149314,39488,127102,140676,124634,119698,143144,40722,81444,59232,
                38254,39488,98720,133272,124634,119698,141910,124634,39488,85146,
                141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
                38254,135740,143144,124634,140676,39488,109826,136974,144378,140676,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                38254,39488,96252,119698,134506,124634,49360,69104,50594,71572,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                39488,13574,13574,13574,13574,13574,13574,13574,13574,309734,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                75274,136974,273948,410922,547896,684870,821844,958818,1095792,309734,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                76508,81444,83912,78976,115996,78976,2468,3702,7404,309734,
                141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
                77742,141910,54296,129570,143144,39488,138208,140676,136974,309734,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                38254,39488,98720,133272,124634,119698,141910,124634,39488,85146,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                38254,135740,143144,124634,140676,39488,80210,122166,122166,124634,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                38254,141910,141910,39488,82678,136974,123400,124634,49360,1522756,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                38254,69104,50594,71572,1522756,1522756,1522756,1522756,1522756,1522756,
                144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
                39488,14808,25914,14808,25914,13574,38254,64168,54296,544194,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                78976,233226,161654,166590,170292,186334,135740,12340,24680,568874,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                80210,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                81444,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                82678,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                83912,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                85146,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                86380,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                87614,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                88848,0,0,0,0,0,0,0,12340,24680,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                38254,0,39488,107358,140676,136974,135740,127102,56764,1522756,
                38254,0,39488,80210,122166,122166,124634,141910,141910,1522756,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                38254,39488,102422,144378,122166,122166,124634,141910,141910,125868,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
                38254,144378,133272,133272,149314,56764,1522756,1522756,1522756,1522756,
                143144,128336,129570,141910,39488,92550,124634,149314,127102,124634
};
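char a;       // scratch character used by the type-31 (cout) handler
char b[256];  // input buffer used by the type-32 (cin) handler
int e;        // code[] offset of the most recent input, set by type 32
// Returns 1 when num is non-zero, 0 otherwise
int ck(int num)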
{
        if(num!=0)return 1;else return 0;
}
int vmRun(int array[10])
{
VIRTUALIZER_START;//CodeVirtualizer protection marker
        for (int i = 0;i <10;i++)
        {
                if (i!=0)
                {
                        switch (array[0])
                        {
                        case 31:
                                {
                                        if (array[i]==00) {cout<<endl;break;}
                                        if (array[i]==1234) break;
                                        a=array[i];
                                        cout<<a;
                                        break;
                                }
                        }
                }
                else
                {
                        if (array[0]==32)
                        {
                                e=array[9];
                                cin.width(sizeof(b)); // bound the read to the 256-byte buffer
                                cin>>b;
                                for (int nn =0;nn < 8;nn++)
                                {
                                        code[array[9]+nn]=b[0+nn];
                                }
                        }
                        if (array[0]==61)
                        {
                                for (int nn =0;nn < 8;nn++)
                                {
                                        code[array[9]+nn]&=array[nn+1];
                                }
                        }
                        if (array[0]==62)
                        {
                                for (int nn =0;nn < 8;nn++)
                                {
                                        if (nn<7)
                                                code[array[9]+nn]+=(int)sin(code[array[9]+nn+1]);
                                        else
                                                code[array[9]+nn]+=(int)sin(code[array[9]]);
                                }
                        }
                        if (array[0]==63)
                        {
                                for (int nn =0;nn < 8;nn++)
                                {
                                        code[array[9]+nn]=(int)(53+4*sin(code[array[9]+nn]));
                                }
                        }
                        if (array[0]==64)
                        {
                                for (int nn =0;nn < 8;nn++)
                                {
                                        code[array[9]+nn]=code[e+nn]-code[251+nn];
                                }
                        }
                        for (int f=65;f<73;f++)
                        {
                                if (array[0]==f)
                                {
                                        return array[9-ck(code[461+f-65])];
                                }
                        }
                }
        }
        
        return 20;
VIRTUALIZER_END;
}

int main()
{
        int n=0,c=0;
        int array[10]={0,0,0,0,0,0,0,0,0,0};
        // i is advanced only by the step that vmRun returns
        for (int i = 0;i < sizeof(code)/sizeof(code[1]);i+=0)
        {
                n=0;
                while(n<10)
                {
                        array[n]=code[i+n]/1234; // undo the *1234 scaling
                        n++;
                }
                c=vmRun(array);
                i+=c;
        }
        cout<<endl<<endl<<endl<<endl;
        getchar();
}


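You can't make much of this without looking closely; it uses a kindergarten-level virtual function, vmRun, to interpret code.
The real algorithm, translated into pseudocode:
Put Name in Array[2 to 9];
//Array {2 3 4 5 6 7 8 9}
[2]=[2] and 111
[3]=[3] and 222
[9]=[9] and 888 …algorithm (SF) 1

[2]=[2]+sin([3]) //sin truncated to an integer
[3]=[3]+sin([4])
[9]=[9]+sin([2]) …SF2

[2]=53+4*sin([2]) //the result after + is truncated to an integer; the sin result keeps its decimals
[3]=53+4*sin([3])
[9]=53+4*sin([9]) …SF3
//At this point [2 to 9] hold the ASCII codes (49-57) of 8 characters 1-9, i.e. the access code
//in plaintext...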

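A quick word about this interpreter: main loops over code, extracting instructions (all of them multiplied by 1234, so they are restored), takes 10 at a time into array, and hands them to vmRun to interpret:
Array[10] info:

   1     2     3     4     5     6     7     8     9    10
 Type  data  data  data  data  data  data  data  data  data

Where:

Type   Func   data   Func
31     cout   0      endl
32     cin    1234   useless
61     SF1
62     SF2
63     SF3
65-72  chk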


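Inside vmRun, cin/out are handled by 31/32 in position 1, followed by the three algorithms 61/62/63; all of this can be seen clearly in the code.

Last comes checking the result. When position 1 is 65-72, the return value of vmRun is set by checking whether the entered value and the computed value are the same: if they are the same (i.e. correct), it returns position 10 (20), otherwise it returns position 9 (10). The return value of vmRun serves as the jump for the for() in main().


From the algorithm you can find where to patch (just change the ninth position to 20 in the 65-72 entries of code and it's done),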



65*1234=80210=01 39 52



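Starting from here, search for 12340 (10*1234) and replace it in 8 places with 24680 (20*1234, hex 68 60) to complete the patch.

Save the file as shown below (unpack UPX first, or just patch in memory)



Patch result: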



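Likewise, the code can also be traced out (the plaintext code is the fatal flaw),

code, hex converted to int:



Locating 32 (cin; 39488 after *1234) and entering the name "52pojie.", you then find:



Translated from ASCII codes this is 21851887; enter it as the AccessCode and that's it.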



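Of course, this is cracking it in OD with knowledge of the source code. Without the source you can still analyze it a little: IDA can recover the algorithm in main, but because vmRun has been virtualized, patching can only be done from inside CODE... As for tracing the code, that's simple and has already been explained above.


That's about it. Here's a link:
The contest CM by the expert Nooby: I learned a hair's worth from it, although I don't understand its principle....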


Ratings (2 participants, enthusiasm +2):
蚯蚓翔龙 +1: VirtualizerSDK feels really complicated, doesn't it
黑龍 +1: Leaving my mark before this gets popular
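
The SF1 to SF3 derivation described in the post, as an added example that is not part of the original post: it recomputes the access code from a name using the type-61 mask row copied from the post's code[] table, showing that the expected value is a pure function of the name, which is why keeping it in memory in cleartext gives it away. The names `decode_row`, `access_code` and `SF1_ROW` are assumptions of this example.

```cpp
#include <array>
#include <cmath>
#include <iostream>
#include <string>

// Type-61 (SF1) row copied from the post's code[] table; values are stored *1234.
const std::array<int, 10> SF1_ROW = {75274, 136974, 273948, 410922, 547896,
                                     684870, 821844, 958818, 1095792, 309734};

// Undo the *1234 scaling the same way main() does before calling vmRun.
std::array<int, 10> decode_row(const std::array<int, 10>& raw) {
    std::array<int, 10> ins{};
    for (int i = 0; i < 10; ++i) ins[i] = raw[i] / 1234;
    return ins;   // ins[0] = type, ins[1..8] = data, ins[9] = target offset
}

// Recompute the 8-character access code from a name (ASCII assumed).
std::string access_code(std::string name) {
    name.resize(8, '\0');   // the VM uses 8 bytes of the zero-initialised buffer b
    const std::array<int, 10> ins = decode_row(SF1_ROW);
    int v[8];
    for (int i = 0; i < 8; ++i)            // SF1: AND with 111, 222, ..., 888
        v[i] = name[i] & ins[i + 1];
    for (int i = 0; i < 8; ++i) {          // SF2: add truncated sin of the neighbour
        int next = v[i < 7 ? i + 1 : 0];
        // |sin| < 1 for these integers, so the truncated term is always 0
        v[i] += static_cast<int>(std::sin(static_cast<double>(next)));
    }
    std::string out;
    for (int i = 0; i < 8; ++i)            // SF3: truncate 53 + 4*sin(v) to a digit
        out += static_cast<char>(static_cast<int>(53 + 4 * std::sin(static_cast<double>(v[i]))));
    return out;
}

int main() {
    std::cout << access_code("52pojie.") << "\n";
    return 0;
}
```

Because SF2 contributes nothing after truncation, the result depends only on the masked name bytes passed through SF3.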


黑龍 posted on 2015-6-12 12:03
Awesome!!!!!!